The Spanish DPA fined a hospital for obtaining consent to commercial communications and data processing through pre-ticked boxes, and for failing to provide a copy of the form in a timely manner.
The hospital, acting as the controller of the data subject's personal information, utilized a deceptive pattern by preselecting two consent boxes in the privacy notice without the data subject's knowledge or consent. The first box referred to commercial communications, and the second referred to consent to disclose personal data regarding the data subject's stay at the hospital and room number to third parties upon request. The hospital claimed that the pre-ticked box was a human error and that the clause about communication of patients' personal data to third parties did not apply to the data subject. However, the DPA found that the hospital violated Articles 6(1) and 15 in connection with Article 12 GDPR by unlawfully processing data for third-party sharing and commercial purposes and failing to process the data subject's access request in a timely manner. The DPA further observed that the use of pre-ticked boxes rendered consent invalid, resulting in a lack of legal basis under Article 6(1) GDPR. The hospital's action violated Article 7 GDPR and Recital 32 GDPR, which require that the consent request meet specific requirements.
The DPA had initially imposed a fine of €10,000 each for the violation of Articles 6(1) and 15 in connection with Article 12 GDPR. However, the final fine amount was reduced to €16,000 as the controller benefited from two reductions. One reduction was granted for accepting guilt, and the other was given for voluntarily paying the fine.
D.A.A.A (Claimant) and Hospital Recoletas Ponferrada, S.L.
Related deceptive patterns
Preselection employs the default effect cognitive bias – a psychological phenomenon where people tend to go with the option that is already chosen for them, even if there are other choices available. Providers know this and often use it to take advantage of consumers. A common approach is to show a pre-ticked checkbox, though there are various other ways of doing this, including putting items in the user's shopping cart, or pre-selecting items in a series of steps. There are lots of reasons why this is a powerful deceptive pattern. Firstly, there's simply the matter of awareness: users have to notice it, read it and work out what it all means. If the user doesn't, they'll scroll past completely unaware of the implications. There are other cognitive biases that may be employed in this deceptive pattern. For example, the content may be written to make the user feel that other people like them would accept the default, so they should too (targeting the social proof bias). Alternatively, the content may use an authority figure to pressure users into accepting the default (targeting the authority bias).
The legal bases for processing personal data are performance of a contract, compliance with legal obligations, protection of vital interests, the controller's legitimate interests, and the data subject's consent.
Ensures transparent information and easy access for individuals to their personal data processing, with the right to obtain a copy in a clear and common format.
Grants individuals the right to access their personal data and receive information on how it is processed.